<!DOCTYPE html>
<html lang="en">
<head>

    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />

    <title>QNAP NAS users, make sure you check your system</title>
    <meta name="HandheldFriendly" content="True" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />

    <link rel="stylesheet" type="text/css" href="/assets/built/screen.css?v=db215a41fd" />

    <link rel="shortcut icon" href="/favicon.png" type="image/png" />
    <link rel="canonical" href="https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/" />
    <meta name="referrer" content="no-referrer-when-downgrade" />
    <link rel="amphtml" href="https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/amp/" />
    
    <meta property="og:site_name" content="360 Netlab Blog - Network Security Research Lab at 360" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="QNAP NAS users, make sure you check your system" />
    <meta property="og:description" content="Background
On March 2, 2021, 360Netlab Threat Detection System started to report attacks
targeting the widely used QNAP NAS devices via the unauthorized remote command
execution vulnerability (CVE-2020-2506 &amp; CVE-2020-2507)[1]
[https://www.qnap.com.cn/en/security-advisory/qsa-20-08], upon successful
attack, the attacker will gain root privilege on the device and perform
malicious mining activities.

Due to the possible big impact, we contacted and informed the vendor on March 3,
and decided to s" />
    <meta property="og:url" content="https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/" />
    <meta property="article:published_time" content="2021-03-05T14:00:00.000Z" />
    <meta property="article:modified_time" content="2021-03-12T03:12:11.000Z" />
    <meta property="article:tag" content="QNAP" />
    <meta property="article:tag" content="UnityMiner" />
    <meta property="article:tag" content="CVE-2020-2506" />
    <meta property="article:tag" content="CVE-2020-2507" />
    
    <meta name="twitter:card" content="summary" />
    <meta name="twitter:title" content="QNAP NAS users, make sure you check your system" />
    <meta name="twitter:description" content="Background
On March 2, 2021, 360Netlab Threat Detection System started to report attacks
targeting the widely used QNAP NAS devices via the unauthorized remote command
execution vulnerability (CVE-2020-2506 &amp; CVE-2020-2507)[1]
[https://www.qnap.com.cn/en/security-advisory/qsa-20-08], upon successful
attack, the attacker will gain root privilege on the device and perform
malicious mining activities.

Due to the possible big impact, we contacted and informed the vendor on March 3,
and decided to s" />
    <meta name="twitter:url" content="https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="Ma Yanlong" />
    <meta name="twitter:label2" content="Filed under" />
    <meta name="twitter:data2" content="QNAP, UnityMiner, CVE-2020-2506, CVE-2020-2507" />
    <meta name="twitter:site" content="@360Netlab" />
    <meta name="twitter:creator" content="@_O_owl" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "360 Netlab Blog - Network Security Research Lab at 360",
        "logo": "https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png"
    },
    "author": {
        "@type": "Person",
        "name": "Ma Yanlong",
        "image": {
            "@type": "ImageObject",
            "url": "https://blog.netlab.360.com/content/images/2021/03/10304781141DA34C81786383D28B48CE4E00966932.jpg",
            "width": 640,
            "height": 640
        },
        "url": "https://blog.netlab.360.com/author/mayanlong/",
        "sameAs": [
            "https://twitter.com/_O_owl"
        ]
    },
    "headline": "QNAP NAS users, make sure you check your system",
    "url": "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/",
    "datePublished": "2021-03-05T14:00:00.000Z",
    "dateModified": "2021-03-12T03:12:11.000Z",
    "keywords": "QNAP, UnityMiner, CVE-2020-2506, CVE-2020-2507",
    "description": "Background\nOn March 2, 2021, 360Netlab Threat Detection System started to report attacks\ntargeting the widely used QNAP NAS devices via the unauthorized remote command\nexecution vulnerability (CVE-2020-2506 &amp; CVE-2020-2507)[1]\n[https://www.qnap.com.cn/en/security-advisory/qsa-20-08], upon successful\nattack, the attacker will gain root privilege on the device and perform\nmalicious mining activities.\n\nDue to the possible big impact, we contacted and informed the vendor on March 3,\nand decided to s",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.netlab.360.com/"
    }
}
    </script>

    <script src="/public/ghost-sdk.min.js?v=db215a41fd"></script>
<script>
ghost.init({
	clientId: "ghost-frontend",
	clientSecret: "2a7213b591a9"
});
</script>
    <meta name="generator" content="Ghost 2.13" />
    <link rel="alternate" type="application/rss+xml" title="360 Netlab Blog - Network Security Research Lab at 360" href="https://blog.netlab.360.com/rss/" />
    
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-83587830-1', 'auto');
  ga('send', 'pageview');

</script>

<!-- Fix first paragraph font size -->
<style type="text/css">
 .post-template .post-content > p:first-child {font-size: 1em;}
</style>

</head>
<body class="post-template tag-qnap tag-unityminer tag-cve-2020-2506 tag-cve-2020-2507">

    <div class="site-wrapper">

             <header
    class="site-header outer">
    <div class="inner">
        <nav class="site-nav">
    <div class="site-nav-left">
                <a class="site-nav-logo" href="https://blog.netlab.360.com"><img src="https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png" alt="360 Netlab Blog - Network Security Research Lab at 360" /></a>
            <ul class="nav" role="menu">
    <li class="nav-botnet" role="menuitem"><a href="https://blog.netlab.360.com/tag/botnet/">Botnet</a></li>
    <li class="nav-dnsmon" role="menuitem"><a href="https://blog.netlab.360.com/tag/dnsmon/">DNSMon</a></li>
    <li class="nav-ddos" role="menuitem"><a href="https://blog.netlab.360.com/tag/ddos/">DDoS</a></li>
    <li class="nav-passivedns" role="menuitem"><a href="https://blog.netlab.360.com/tag/pdns/">PassiveDNS</a></li>
    <li class="nav-marai" role="menuitem"><a href="https://blog.netlab.360.com/tag/mirai/">Marai</a></li>
    <li class="nav-dta" role="menuitem"><a href="https://blog.netlab.360.com/tag/dta/">DTA</a></li>
</ul>

    </div>
    <div class="site-nav-right">
        <div class="social-links">
                <a class="social-link social-link-tw" href="https://twitter.com/360Netlab" title="Twitter" target="_blank" rel="noopener"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M30.063 7.313c-.813 1.125-1.75 2.125-2.875 2.938v.75c0 1.563-.188 3.125-.688 4.625a15.088 15.088 0 0 1-2.063 4.438c-.875 1.438-2 2.688-3.25 3.813a15.015 15.015 0 0 1-4.625 2.563c-1.813.688-3.75 1-5.75 1-3.25 0-6.188-.875-8.875-2.625.438.063.875.125 1.375.125 2.688 0 5.063-.875 7.188-2.5-1.25 0-2.375-.375-3.375-1.125s-1.688-1.688-2.063-2.875c.438.063.813.125 1.125.125.5 0 1-.063 1.5-.25-1.313-.25-2.438-.938-3.313-1.938a5.673 5.673 0 0 1-1.313-3.688v-.063c.813.438 1.688.688 2.625.688a5.228 5.228 0 0 1-1.875-2c-.5-.875-.688-1.813-.688-2.75 0-1.063.25-2.063.75-2.938 1.438 1.75 3.188 3.188 5.25 4.25s4.313 1.688 6.688 1.813a5.579 5.579 0 0 1 1.5-5.438c1.125-1.125 2.5-1.688 4.125-1.688s3.063.625 4.188 1.813a11.48 11.48 0 0 0 3.688-1.375c-.438 1.375-1.313 2.438-2.563 3.188 1.125-.125 2.188-.438 3.313-.875z"/></svg>
</a>
        </div>
            <a class="rss-button" href="https://feedly.com/i/subscription/feed/https://blog.netlab.360.com/rss/" title="RSS" target="_blank" rel="noopener"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><circle cx="6.18" cy="17.82" r="2.18"/><path d="M4 4.44v2.83c7.03 0 12.73 5.7 12.73 12.73h2.83c0-8.59-6.97-15.56-15.56-15.56zm0 5.66v2.83c3.9 0 7.07 3.17 7.07 7.07h2.83c0-5.47-4.43-9.9-9.9-9.9z"/></svg>
</a>
    </div>
</nav>
    </div>
    </header>


    <main id="site-main" class="site-main outer">
        <div class="inner">

            <article class="post-full post tag-qnap tag-unityminer tag-cve-2020-2506 tag-cve-2020-2507 no-image">

                <header class="post-full-header">
                    <section class="post-full-meta">
                        <time class="post-full-meta-date" datetime="2021-03-05">5 March                            2021</time>
                        <span class="date-divider">/</span> <a href="/tag/qnap/">QNAP</a>
                    </section>
                    <h1 class="post-full-title">QNAP NAS users, make sure you check your system</h1>
                </header>


                <section class="post-full-content">
                    <div class="post-content">
                        <h3 id="background">Background</h3>
<p>On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 &amp; CVE-2020-2507)<a href="https://www.qnap.com.cn/en/security-advisory/qsa-20-08">[1]</a>, upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.</p>
<p>Due to the possible big impact, we contacted and informed the vendor on March 3, and decided to share some information with this quick blog.</p>
<p>Note 1, there is currently no public available PoC for CVE-2020-2506 &amp; CVE-2020-2507, also according to the vendor’s request, we are not disclosing the technical details of the vulnerability in order to protect QNAP NAS users, we speculate that there are still hundreds of thousands of online QNAP NAS devices with the vulnerability.</p>
<p>We named the mining program UnityMiner, we noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior.</p>
<p>Previously We have disclosed another QNAP NAS in-the-wild vulnerability attack here<a href="https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks/">[2]</a>.</p>
<h3 id="vulnerabilityimpact">Vulnerability impact</h3>
<p>Our 360 FirmwareTotal system shows that the following models are affected by the vulnerabilities. The QNAP NAS installed Helpdesk app prior to August 2020 is affected. The following is the list of known models that could be vulnerable.</p>
<pre><code>TVS-X73
TVS-X71U
TVS-X71
TVS-X63
TS-XA82
TS-XA73
TS-XA28A
TS-X89U
TS-X88
TS-X85U
TS-X85
TS-X83XU
TS-X82U
TS-X82S
TS-X82
TS-X80U
TS-X80
TS-X77U
TS-X77
TS-X73U
TS-X72U
TS-X72
TS-X63U
TS-X53U
TS-X53S
TS-X53D
TS-X53BU
TS-X53B
TS-X53A
TS-X53
TS-X51U
TS-X51DU
TS-X51B
TS-X51A
TS-X51
TS-X35A
TS-X28A
TS-KVM
TS-879U
TS-879
TS-870U
TS-870
TS-869U
TS-869
TS-859U
TS-859
TS-809U
TS-809
TS-670
TS-669
TS-659
TS-639
TS-569
TS-559
TS-509
TS-470
TS-469U
TS-469
TS-459U
TS-459
TS-439U
TS-439PROII
TS-439
TS-421U
TS-421
TS-420U
TS-420
TS-419U
TS-419P
TS-412U
TS-412
TS-410
TS-269
TS-259
TS-239PROII
TS-239H
TS-239
TS-221
TS-220
TS-219
TS-212
TS-210
TS-1679U
TS-1279U
TS-1270U
TS-1269U
TS-121
TS-120
TS-119
TS-112
TS-110
TS-1079
SS-839
SS-439
SS-2479U
SS-1879U
SS-1279U
QGD-1600
Mustang-200
IS-400
HS-251
HS-210
</code></pre>
<p>And the following is the Geo breakdown of the devices online by using the 360 Quake cyberspace mapping system, all togetherthere are 4,297,426 QNAP NAS, with 951,486 unique IPs.<br>
<a href="https://blog.netlab.360.com/content/images/2021/03/qnap_distribution_en.png"><img src="https://blog.netlab.360.com/content/images/2021/03/qnap_distribution_en.png" class="kg-image"></a></p>
<h3 id="briefanalysisoftheminingkit">Brief analysis of the mining kit</h3>
<h4 id="1overview">1. Overview</h4>
<p>The mining program consists of <code>unity_install.sh</code> and <code>Quick.tar.gz</code>. <code>unity_install.sh</code> is used to download &amp; set up &amp; start the mining program and hijack the <code>manaRequest.cgi</code> program in the original device;</p>
<p><code>Quick.tar.gz</code> contains the miner program, the miner configuration file, the miner startup script and the forged <code>manaRequest.cgi</code>.</p>
<p>Unity is the XMRig miner program</p>
<pre><code>Quick
├── config.json
├── manaRequest.cgi
├── start.sh
└── unity
</code></pre>
<h4 id="2unity_installsh">2. unity_install.sh</h4>
<p><strong>Core functions</strong>：</p>
<ul>
<li>Check if unity process exists, kill if it exists</li>
<li>Check the CPU architecture of the device and download the mining kit for the corresponding architecture, currently it only supports ARM64 and AMD64</li>
<li>Set the mining parameters in <code>config.json</code> based on the number of CPU cores, the program makes sure it only uses half of the cores for mining.</li>
<li>Unpack the mining program, set cron and execute the mining script start.sh (once every minute, time interval is set directly to <code>* * * * * *</code>)</li>
</ul>
<h4 id="3startsh">3. start.sh</h4>
<p><strong>Core function</strong>：</p>
<ul>
<li>Checking for unity process and starting it if it does not exist.</li>
<li>Rename the system file <code>/home/httpd/cgi-bin/management/manaRequest.cgi</code> to <code>manaRequests.cgi</code> (this file is responsible for viewing and modifying the system information of the device)</li>
<li>Copy the <code>manaRequest.cgi</code> file from <code>Quick.tar.gz</code> to the <code>/home/httpd/cgi-bin/management/</code> directory, replacing the system's own file with the same name.</li>
</ul>
<h4 id="4configjson">4. config.json</h4>
<p>The group uses its own Pool(Proxy), so the real XMR Wallet cannot be seen. There are 3 groups of mining configurations, user are &quot;xmr2&quot;, pass are &quot;x&quot;, Pool(Proxy) are as follows.</p>
<pre><code>aquamangts.tk:12933
a.aquamangts.tk:12933
b.aquamangts.tk:12933
</code></pre>
<h4 id="5manarequestcgi">5. manaRequest.cgi</h4>
<p><strong>Core function</strong>：</p>
<ul>
<li>Hijack the system's original file of the same name, after receiving HTTP requests, first detect whether there is a unity mining process in the system, if not, then directly transfer the HTTP request to the system's original file of the same name (has been renamed to <code>manaRequests.cgi</code> ) to process, and then end the execution of.</li>
</ul>
<pre><code>count=`ps -fe | grep unity | grep -v &quot;grep&quot;`
if [ &quot;&quot; == &quot;$count&quot; ];then
    /home/httpd/cgi-bin/management/manaRequests.cgi
    exit 0
fi
</code></pre>
<ul>
<li>If the unity mining process exists on the system, after forwarding the HTTP request to the system's original file of the same name for execution, log the results of the execution (to the <code>.log.log</code> file) and then tamper with the execution results by
<ol>
<li>Subtract 50 from the CPU status data</li>
<li>Delete the unity process information from the execution result</li>
</ol>
</li>
</ul>
<p>So when the user suspects something going on with the device and checks the usage, he will see pretty normal CPU usage and tempc, and all the system processes will look normal.</p>
<h3 id="suggestions">Suggestions</h3>
<p>QNAP NAS users should check and update their firmware promptly.<br>
We recommend that readers monitor and block relevant IPs and URLs mentioned in this blog.</p>
<h3 id="contactus">Contact us</h3>
<p>Readers are always welcomed to reach us on <a href="https://twitter.com/360Netlab"><strong>twitter</strong></a>, or email to netlab at 360<br>
dot cn.</p>
<h3 id="ioc">IoC</h3>
<p>IP:</p>
<pre><code>210.201.136.170     	Taiwan              	ASN9311             	HITRON TECHNOLOGY INC.
</code></pre>
<p>Miner Proxy:</p>
<pre><code>aquamangts.tk:12933
a.aquamangts.tk:12933
b.aquamangts.tk:12933
</code></pre>
<p>URL:</p>
<pre><code>http://c.aquamangts.tk:8080/QFS/install/unity_install.sh
http://c.aquamangts.tk:8080/QFS/arm64/Quick.tar.gz
http://c.aquamangts.tk:8080/QFS/amd64/Quick.tar.gz
</code></pre>
<p>MD5:</p>
<pre><code>0f40086c9e96c9c11232a9175b26c644
1eb01a23a122d077540f83b005abdbfc
97015323b4fd840a40a9d40d2ad4e7af
</code></pre>

                    </div>
                </section>


                <footer class="post-full-footer">


                    <section class="post-full-authors">

    <div class="post-full-authors-content">
        <p>This post was a collaboration between</p>
        <p><a href="/author/mayanlong/">Ma Yanlong</a>, <a href="/author/yegenshen/">Genshen Ye</a></p>
    </div>

    <ul class="author-list">
        <li class="author-list-item">

            <div class="author-card">
                <div class="basic-info">
                        <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2021/03/10304781141DA34C81786383D28B48CE4E00966932.jpg" alt="Ma Yanlong" />
                    <h2>Ma Yanlong</h2>
                </div>
                <div class="bio">
                        <p>Read <a href="/author/mayanlong/">more posts</a> by this author.</p>
                </div>
            </div>

                <a href="/author/mayanlong/" class="moving-avatar">
                    <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2021/03/10304781141DA34C81786383D28B48CE4E00966932.jpg" alt="Ma Yanlong" />
                </a>

        </li>
        <li class="author-list-item">

            <div class="author-card">
                <div class="basic-info">
                        <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                    <h2>Genshen Ye</h2>
                </div>
                <div class="bio">
                        <p>Read <a href="/author/yegenshen/">more posts</a> by this author.</p>
                </div>
            </div>

                <a href="/author/yegenshen/" class="moving-avatar">
                    <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                </a>

        </li>

    </ul>

</section>


                </footer>

                <div id="disqus_thread"></div>
                <script>
                    var disqus_config = function () {
                        this.page.url = "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/";
                        this.page.identifier = "ghost-6041cc28d0d9b7000712c2ed"
                    };
                    (function () {
                        var d = document, s = d.createElement('script');
                        s.src = 'https://blog-netlab-360.disqus.com/embed.js';
                        s.setAttribute('data-timestamp', +new Date());
                        (d.head || d.body).appendChild(s);
                    })();
                </script>

            </article>

        </div>
    </main>

    <aside class="read-next outer">
        <div class="inner">
            <div class="read-next-feed">
                <article class="read-next-card"   style="background-image: url(https://blog.netlab.360.com/content/images/size/w600/2019/02/astronomy-constellation-dark-998641-4.jpg)"
                     >
                    <header class="read-next-card-header">
                        <small class="read-next-card-header-sitetitle">&mdash; 360 Netlab Blog - Network Security Research Lab at 360 &mdash;</small>
                        <h3 class="read-next-card-header-title"><a href="/tag/qnap/">QNAP</a></h3>
                    </header>
                    <div class="read-next-divider"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 14.5s2 3 5 3 5.5-2.463 5.5-5.5S21 6.5 18 6.5c-5 0-7 11-12 11C2.962 17.5.5 15.037.5 12S3 6.5 6 6.5s4.5 3.5 4.5 3.5"/></svg>
</div>
                    <div class="read-next-card-content">
                        <ul>
                            <li><a href="/in-the-wild-qnap-nas-attacks-2/">QNAP NAS在野漏洞攻击事件2</a></li>
                            <li><a href="/in-the-wild-qnap-nas-attacks-en/">In the wild QNAP NAS attacks</a></li>
                            <li><a href="/in-the-wild-qnap-nas-attacks/">QNAP NAS在野漏洞攻击事件</a></li>
                        </ul>
                    </div>
                    <footer class="read-next-card-footer">
                        <a href="/tag/qnap/">See all 3 posts →</a>
                    </footer>
                </article>

                <article class="post-card post tag-botnet no-image">


    <div class="post-card-content">

        <a class="post-card-content-link" href="/wei-xie-kuai-xun-z0miner-zheng-zai-li-yong-elasticsearch-he-jenkins-lou-dong-da-si-chuan-bo-2/">

            <header class="post-card-header">
                    <span class="post-card-tags">Botnet</span>
                <h2 class="post-card-title">威胁快讯：z0Miner 正在利用 ElasticSearch 和 Jenkins 漏洞大肆传播</h2>
            </header>

            <section class="post-card-excerpt">
                <p>版权版权声明: 本文为Netlab原创，依据 CC BY-SA 4.0 许可证进行授权，转载请附上出处链接及本声明。概述最近几个月受比特币、门罗币大涨的刺激，各种挖矿家族纷纷活跃起来，我们的 BotMon 系统每天都能检测到几十上百起的挖矿类 Botnet 攻击事件。根据我们统计，它们多数是已经出现过的老家族，有的只是换了新的钱包或者传播方式，z0Miner 就是其中一例。z0Miner 是去年开始活跃的一个恶意挖矿家族，业界已有公开的分析。z0Miner 最初活跃时，利用 Weblogic 未授权命令执行漏洞进行传播。近期，360 网络安全研究院</p>
            </section>

        </a>

        <footer class="post-card-meta">

            <ul class="author-list">
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        JiaYu
                    </div>

                        <a href="/author/jiayu/" class="static-avatar author-profile-image"><svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><g fill="none" fill-rule="evenodd"><path d="M3.513 18.998C4.749 15.504 8.082 13 12 13s7.251 2.504 8.487 5.998C18.47 21.442 15.417 23 12 23s-6.47-1.558-8.487-4.002zM12 12c2.21 0 4-2.79 4-5s-1.79-4-4-4-4 1.79-4 4 1.79 5 4 5z" fill="#FFF"/></g></svg>
</a>
                </li>
            </ul>

            <span class="reading-time">4 min read</span>

        </footer>

    </div>

</article>

                <article class="post-card post tag-qnap tag-unityminer tag-cve-2020-2506 tag-cve-2020-2507 no-image">


    <div class="post-card-content">

        <a class="post-card-content-link" href="/in-the-wild-qnap-nas-attacks-2/">

            <header class="post-card-header">
                    <span class="post-card-tags">QNAP</span>
                <h2 class="post-card-title">QNAP NAS在野漏洞攻击事件2</h2>
            </header>

            <section class="post-card-excerpt">
                <p>背景介绍 2021年3月2号，360网络安全研究院未知威胁检测系统监测到攻击者正在使用台湾QNAP Systems, Inc.公司的网络存储设备诊断程序(Helpdesk)的未授权远程命令执行漏洞（CVE-2020-2506 &amp; CVE-2020-2507），获取到系统root权限并进行恶意挖矿攻击。 我们将此次挖矿程序命名为UnityMiner，值得注意的是攻击者专门针对QNAP NAS设备特性，隐藏了挖矿进程，隐藏了真实的CPU内存资源占用信息，使用户无法在Web管理界面看到系统异常行为。 2020年10月7号，QNAP Systems, Inc.公司发布安全公告QSA-20-08[1]，并指出已在Helpdesk 3.0.3和更高版本中解决了这些问题。 目前，互联网上还没有公布CVE-2020-2506和CVE-2020-2507的漏洞详细信息，由于该漏洞威胁程度极高，为保护尚未修复漏洞的QNAP NAS用户，</p>
            </section>

        </a>

        <footer class="post-card-meta">

            <ul class="author-list">
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Ma Yanlong
                    </div>

                        <a href="/author/mayanlong/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2021/03/10304781141DA34C81786383D28B48CE4E00966932.jpg" alt="Ma Yanlong" />
                        </a>
                </li>
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Genshen Ye
                    </div>

                        <a href="/author/yegenshen/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                        </a>
                </li>
            </ul>

            <span class="reading-time">6 min read</span>

        </footer>

    </div>

</article>

            </div>
        </div>
    </aside>

    <div class="floating-header">
    <div class="floating-header-logo">
        <a href="https://blog.netlab.360.com">
                <img src="https://blog.netlab.360.com/content/images/size/w30/2019/02/netlab_xs-2.png" alt="360 Netlab Blog - Network Security Research Lab at 360 icon" />
            <span>360 Netlab Blog - Network Security Research Lab at 360</span>
        </a>
    </div>
    <span class="floating-header-divider">&mdash;</span>
    <div class="floating-header-title">QNAP NAS users, make sure you check your system</div>
    <div class="floating-header-share">
        <div class="floating-header-share-label">Share this <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
    <path d="M7.5 15.5V4a1.5 1.5 0 1 1 3 0v4.5h2a1 1 0 0 1 1 1h2a1 1 0 0 1 1 1H18a1.5 1.5 0 0 1 1.5 1.5v3.099c0 .929-.13 1.854-.385 2.748L17.5 23.5h-9c-1.5-2-5.417-8.673-5.417-8.673a1.2 1.2 0 0 1 1.76-1.605L7.5 15.5zm6-6v2m-3-3.5v3.5m6-1v2"/>
</svg>
</div>
        <a class="floating-header-share-tw" href="https://twitter.com/share?text=QNAP%20NAS%20users%2C%20make%20sure%20you%20check%20your%20system&amp;url=https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/"
            onclick="window.open(this.href, 'share-twitter', 'width=550,height=235');return false;">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M30.063 7.313c-.813 1.125-1.75 2.125-2.875 2.938v.75c0 1.563-.188 3.125-.688 4.625a15.088 15.088 0 0 1-2.063 4.438c-.875 1.438-2 2.688-3.25 3.813a15.015 15.015 0 0 1-4.625 2.563c-1.813.688-3.75 1-5.75 1-3.25 0-6.188-.875-8.875-2.625.438.063.875.125 1.375.125 2.688 0 5.063-.875 7.188-2.5-1.25 0-2.375-.375-3.375-1.125s-1.688-1.688-2.063-2.875c.438.063.813.125 1.125.125.5 0 1-.063 1.5-.25-1.313-.25-2.438-.938-3.313-1.938a5.673 5.673 0 0 1-1.313-3.688v-.063c.813.438 1.688.688 2.625.688a5.228 5.228 0 0 1-1.875-2c-.5-.875-.688-1.813-.688-2.75 0-1.063.25-2.063.75-2.938 1.438 1.75 3.188 3.188 5.25 4.25s4.313 1.688 6.688 1.813a5.579 5.579 0 0 1 1.5-5.438c1.125-1.125 2.5-1.688 4.125-1.688s3.063.625 4.188 1.813a11.48 11.48 0 0 0 3.688-1.375c-.438 1.375-1.313 2.438-2.563 3.188 1.125-.125 2.188-.438 3.313-.875z"/></svg>
        </a>
        <a class="floating-header-share-fb" href="https://www.facebook.com/sharer/sharer.php?u=https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/"
            onclick="window.open(this.href, 'share-facebook','width=580,height=296');return false;">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M19 6h5V0h-5c-3.86 0-7 3.14-7 7v3H8v6h4v16h6V16h5l1-6h-6V7c0-.542.458-1 1-1z"/></svg>
        </a>
    </div>
    <progress id="reading-progress" class="progress" value="0">
        <div class="progress-container">
            <span class="progress-bar"></span>
        </div>
    </progress>
</div>




        <footer class="site-footer outer">
            <div class="site-footer-content inner">
                <section class="copyright"><a href="https://blog.netlab.360.com">360 Netlab Blog - Network Security Research Lab at 360</a> &copy; 2021</section>
                <nav class="site-footer-nav">
                    <a href="https://blog.netlab.360.com">Latest Posts</a>
                    
                    <a href="https://twitter.com/360Netlab" target="_blank" rel="noopener">Twitter</a>
                    <a href="https://ghost.org" target="_blank" rel="noopener">Ghost</a>
                </nav>
            </div>
        </footer>

    </div>


    <script>
        var images = document.querySelectorAll('.kg-gallery-image img');
        images.forEach(function (image) {
            var container = image.closest('.kg-gallery-image');
            var width = image.attributes.width.value;
            var height = image.attributes.height.value;
            var ratio = width / height;
            container.style.flex = ratio + ' 1 0%';
        })
    </script>


    <script
        src="https://code.jquery.com/jquery-3.2.1.min.js"
        integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
        crossorigin="anonymous">
    </script>
    <script type="text/javascript" src="/assets/built/jquery.fitvids.js?v=db215a41fd"></script>


    <script>
// Adds delay to author card dropups to disappear. This gives enough
// time for the user to interact with the author card while they move
// the mouse from the avatar to the card. Also makes space for the
// interacted avatar.
$(document).ready(function () {

    var hoverTimeout;

    $('.author-list-item').hover(function(){
        var $this = $(this);

        clearTimeout(hoverTimeout);

        $('.author-card').removeClass('hovered');
        $(this).children('.author-card').addClass('hovered');

    }, function() {
        var $this = $(this);

        hoverTimeout = setTimeout(function() {
            $this.children('.author-card').removeClass('hovered');
        }, 800);
    });

});
</script>

    <script>

        // NOTE: Scroll performance is poor in Safari
        // - this appears to be due to the events firing much more slowly in Safari.
        //   Dropping the scroll event and using only a raf loop results in smoother
        //   scrolling but continuous processing even when not scrolling
        $(document).ready(function () {
            // Start fitVids
            var $postContent = $(".post-full-content");
            $postContent.fitVids();
            // End fitVids

            var progressBar = document.querySelector('#reading-progress');
            var header = document.querySelector('.floating-header');
            var title = document.querySelector('.post-full-title');

            var lastScrollY = window.scrollY;
            var lastWindowHeight = window.innerHeight;
            var lastDocumentHeight = $(document).height();
            var ticking = false;

            function onScroll() {
                lastScrollY = window.scrollY;
                requestTick();
            }

            function onResize() {
                lastWindowHeight = window.innerHeight;
                lastDocumentHeight = $(document).height();
                requestTick();
            }

            function requestTick() {
                if (!ticking) {
                    requestAnimationFrame(update);
                }
                ticking = true;
            }

            function update() {
                var trigger = title.getBoundingClientRect().top + window.scrollY;
                var triggerOffset = title.offsetHeight + 35;
                var progressMax = lastDocumentHeight - lastWindowHeight;

                // show/hide floating header
                if (lastScrollY >= trigger + triggerOffset) {
                    header.classList.add('floating-active');
                } else {
                    header.classList.remove('floating-active');
                }

                progressBar.setAttribute('max', progressMax);
                progressBar.setAttribute('value', lastScrollY);

                ticking = false;
            }

            window.addEventListener('scroll', onScroll, { passive: true });
            window.addEventListener('resize', onResize, false);

            update();

        });
    </script>


    

</body>
</html>
